Skip to main content
banner image
venafi logo

How Policies Prevent Peril for Machine Identities

How Policies Prevent Peril for Machine Identities

Machine Identity Automation
November 27, 2018 | Mark Miller

Do your administrators have policies that will help them maximize application security and ensure the safe use of machine identities? If they don’t, you may be setting them up to make mistakes that will end up costing both of you.

This is a lesson that I’ve seen many organizations learn the hard way. My team’s work includes educating the most high-tech security focused groups in the world’s largest organizations about machine identity protection. As such, we are laser-focused on sharing our expertise on x.509 SSL/TLS certificates and SSH keys, including all that can go right and all that can go wrong. In other words, we equip you to protect your machine identities, while avoiding the potential pitfalls of their misuse.

Let’s see how this works if you are an organization that is more mature in its use of machine identities. You have a complete inventory that you continuously monitor. You have an automated way to renew expiring or vulnerable machine identities. And you can push these machine identities back to their applications where they enable your lighting fast and reliable infrastructure.

Great job, you are well on your way to complete machine identity protection, but you are not done.

You may still have a problem. Your problem could be people, communication or domain expertise. Or maybe it is just the lack of a strict, documented and enforced policy for machine identities.

Let me give you an example. Only last week when I was helping resolve an issue, we witnessed two administrators argue about if they should issue an SHA-1 or a SHA-2 certificate. After letting them discuss amongst themselves for a moment, I politely chimed in that SHA-1 was shown to be weak years ago and according to our industry (and browsers) should not be used. Not to mention that it has been completely deprecated by all major browsers. Sadly, we still see people using SHA-1, even though we realized a long time ago that it was potentially vulnerable. Yet, despite extended news coverage, people are still using it and are seemingly unaware of the potential problems of doing so.

This fact was driven home to me not too long ago when I attended a training by Feisty Duck in London, “The Best TLS Training in The World”. One of my key take-aways from this awesome training was that even if you have strong use of keys utilizing your TLS protocol, you still have some very serious application settings you need to consider. You have some very specific settings that if configured poorly, can jeopardize even the best use of your keys and certificates. Do you know what the strongest settings are? Or better yet, are they documented so others can make good choices setting up the application?

If you don’t already have one, part of your security posture should include a strict and defined policy for machine identities. Your policy should dictate what applications settings are required and how your machine identities should be used.

We all know default settings will be the death of us, and yet we still get caught with them. Strong published, enforced and reviewed policy will not only help your administrators make great decisions, it will help them bridge the gap we all have in not being experts enough in our area of constantly changing technology and responsibility.

Are you helping your people be the best they can be by arming them with policies for machine identities?         

TIP:  If you can define and enforce machine identity policy, you are one step closer to the big dream of automation and achieving operational excellence by removing weak keys and preventing outages.

Related posts

Like this blog? We think you will love this.
picture of a red retro robot laying on the floor, head detached
Featured Blog

Are Your Machine Identities Getting the Respect They Deserve?

Even though organizations are clearly focusing more attention on protecting user iden

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Mark Miller
Mark Miller

Mark Miller is Senior Director, Enterprise Security Support, at Venafi, where he works with hundreds of the world’s largest companies to develop and implement strong, resilient cybersecurity strategies across a constantly evolving set of interlocking technologies. Mark has focused on building and leading strong teams to solve difficult product issues.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat